From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug
Date: Fri, 27 Feb 2026 13:40:53 +1000
Message-ID:
In-Reply-To: <20260225101532.13260-3-dev@lankhorst.se>
References: <20260225101532.13260-3-dev@lankhorst.se>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug
Author: Maarten Lankhorst
Patches: 2
Reviewed: 2026-02-27T13:40:53.647211

---

This is a single-patch series fixing a real use-after-free triggered when `drm_dev_unplug()` races with compositor file descriptor close. The problem is well-understood: framebuffers and property blobs referenced by `struct drm_file` can be freed by `drm_mode_config_cleanup()` during device teardown, leaving dangling pointers that crash when the file is later closed. The approach is reasonable — gate the `drm_file_free()` modeset cleanup with `drm_dev_enter()`, and proactively drop file references from `drm_dev_unplug()` once `drm_dev_enter()` is guaranteed to fail.

However, there are **locking concerns** that should be addressed before merging, and a few minor issues.

---

Generated by Claude Code Patch Reviewer
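
Added example, not part of the review above or of the patch it discusses: a single-threaded user-space C model of the teardown ordering the review describes (unplug, then `drm_mode_config_cleanup()`, then a late file close), run with and without the two changes the review summarizes. The struct and function names are hypothetical stand-ins, objects are flagged rather than actually freed so the stale accesses can be counted safely, and the locking the review raises is not modelled.

```c
/* User-space model of the teardown ordering; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NFB 2
struct fb   { bool live; };               /* stands in for a framebuffer */
struct dev  { bool unplugged; struct fb fbs[NFB]; };
struct file { struct dev *dev; struct fb *refs[NFB]; size_t n; };

/* Models drm_dev_enter(): fails once the device is unplugged. */
static bool dev_enter(const struct dev *d) { return !d->unplugged; }

/* Drop the file's framebuffer references; count touches of freed objects. */
static int file_drop_refs(struct file *f)
{
    int stale = 0;
    for (size_t i = 0; i < f->n; i++) {
        if (!f->refs[i]->live)
            stale++;                      /* in the kernel: a use-after-free */
        f->refs[i] = NULL;
    }
    f->n = 0;
    return stale;
}

/* Models drm_mode_config_cleanup(): frees whatever is still allocated. */
static void mode_config_cleanup(struct dev *d)
{
    for (size_t i = 0; i < NFB; i++)
        d->fbs[i].live = false;
}

/* Unplug, cleanup, then late fd close. Returns the stale-access count. */
int simulate(bool fixed)
{
    struct dev d = { .unplugged = false };
    struct file f = { .dev = &d };
    for (size_t i = 0; i < NFB; i++) {
        d.fbs[i].live = true;
        f.refs[f.n++] = &d.fbs[i];
    }
    d.unplugged = true;                   /* drm_dev_unplug() */
    if (fixed)
        file_drop_refs(&f);               /* drop file references at unplug */
    mode_config_cleanup(&d);
    if (fixed && !dev_enter(&d))          /* gated cleanup at file close */
        return 0;
    return file_drop_refs(&f);
}

int main(void) { printf("unfixed=%d fixed=%d\n", simulate(false), simulate(true)); return 0; }
```
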